Programatically remove Gatekeeper exception

Valued Contributor


I’m trying to remove a manual Gatekeeper exception using Terminal using the command 'spctl ——remove /Applications/'. The exception may be (and likely is) present more than once on some client machines.

Adding the exception works fine using the spctl binary, as does searching for it using 'sudo spctl ——list | grep UNLABELED' showing that there is an exception present.

Removing it seems to be problematic, in that the remove command will work intermittently. When it works, it works great, but when it doesn't it returns the following even though the list command shows the whitelist is there:

sudo spctl --remove "/Applications/"
/Applications/ no matches for search or update operation

The exception is still listed:

sudo spctl --list | grep UNLABELED
2721[UNLABELED] P0 allow execute [/Applications/]

I need to perform a mass action and the ID of the exception is obviously not going to be the same on every client, so I’m hoping there’s something simple I’m missing? Resetting Gatekeeper completely seems overkill and will likely result in a lot of tickets to the Helpdesk.

Thanks in advance,



It looks like you can pass a --path variable to the remove flag. I'd give that a shot first. I'm not sure if the --remove flag assumes that what follows it will be a file path and not an exception ID.

If that fails, and exception ID's are guaranteed to work, you can probably work out a sed/awk command to strip everything from the grep after the first [ symbol, then pass that back into spctl --remove.

Nope, that's what I get for posting before finishing testing. The exception IDs don't seem to do anything, I get an invalid API reference error if I try something like spctl --remove 2718. Hopefully the path flag proves useful.

If that doesn't work, it looks like you can assign a label to the offending app's path, then create a rule for all apps with that label. So,

spctl --add --label "DeniedApp" "/Applications/"

spctl --disable -label "DeniedApp"

Valued Contributor

Thank you @wmehilos, I will give the path variable a try. Appreciate the help!

Valued Contributor

Just to follow up on this, I wasn't able to remove using the --path variable, but I was able to get the SHA1 hash of the executable and remove the rules using that:

spctl --remove —-hash aaabbbccc111